Howto: Preserve your saved passwords when changing desktop environments

felagund

There are many threads on this issue but the solutions are buried deep in the comments, so I thought I would write this up as it hurt me today.

The problem
On Linux, Vivaldi uses by default the system's keyring to encrypt the passwords it stores (details). So, when you change a desktop environment (DE), say from GNOME to KDE, simply reusing your profile under ~./config/vivaldi will not preserve your passwords. They will still be there under YOUR_PROFILE_NAME/Login Data, but Vivaldi won't be able to read them. What is worse, it also won't be able to save new passwords. Vivaldi will try to use your new DE's keyring to decrypt the passwords encrypted by the old DE's keyring, which obviously fails.

The solution
Export the passwords into a CSV file before migrating and then import them after migrating.
Caveats
Export does not work.
Try it twice. There is a bug when you try it for the first time.

You have already installed the new DE.
The passwords are still there. Install the previous DE (or use a LiveUSB) and the export/import should work. You just need to make sure to you have Vivaldi's profile and either of the following in your home folder:

#KDE
~/.kde/share/apps/kwallet/*
~/.kde/share/config/kwallet*
#GNOME keyring:
~/.local/share/keyrings/*

Import does not work
Try moving the file Login Data in your Vivaldi's profile elsewhere. Vivaldi, it seems, won't try to overwrite a file containing passwords that it can't read.

I have only my old Vivaldi's profile, all other files (including the keyrings) from my old Linux profile are lost.
That is not great. You can try cracking the GNOME or KDE keyrings, which could be possible.

Pathduck

@felagund Very useful guide!

I'm not sure about the details for Linux, but would it work if the new keyring uses the exact same password? On Windows, it uses DPAPI credentials tied to your user account so changing the account will make the passwords impossible to decrypt.

One important detail is that the primary key for decrypting passwords is stored in the Local State file as JSON data:
"os_crypt":{"encrypted_key":"<key>"}

I'm wondering if this is different on Linux, if the value of encrypted_key changes when you change DE (or user account) it won't matter if the password to the keyring uses the same password of course.

felagund

There also seem to be some threads that are connected to Sync:
https://forum.vivaldi.net/topic/69382/5-0-version-lost-sync-when-installed
https://forum.vivaldi.net/topic/66832/issue-with-password-sync/
https://forum.vivaldi.net/topic/48580/vivaldi-not-storing-passwords/
(one of my symptoms was that Vivaldi would ask me for a Sync password but would not sync the passwords at all despite them being saved on my phone).

felagund

@pathduck I am actually not sure how it works deep down. I use autologin, and when I moved from GNOME (eh, Unity) to KDE, KDE asked me for a password for KDE Wallet. I tried to enter something, but that failed. I then tried to set KDEWallet password to blank and disable KDE Wallet but neither helped. So I guess the default password for autologin is different for GNOME and KDE. Not sure how it works when somebody actually uses passwords.

I think that for autologins, this is actually just security by obscurity - principially there must be a way to unlock the keyring somehow and it does not matter that much if the passwords are stored in plaintext or through a phrase that resides somewhere else in the file system. With no autologins, typically you unlock the keyring by logging in - and I have the same password now as before. So I doubt same password helps.

Pathduck

@felagund I guess you could compare the values of encrypted_key - but not even sure if this is used on Linux TBH. If the key and the keyring password are the same, decryption should work - in theory...

felagund

There is not string "crypt" in my ~./config/vivaldi/Local State`, so that's that:-).

A Former User

IIUC, it could possibly have an easier solution if you knew how to correctly mess with FDO secrets –

chromium uses the FDO secrets service, usually provided by those keyrings
the actual method used to store secrets should be implementation-dependent, but
the interface of the service must be the same, thus
chromium (and vivaldi) shouldn’t recognise it was launched with a different FDO secrets provider, and so
if you managed to obtain the secret (which i assume is somewhat of an equivalent of that encrypted_key thing) and put it into the other keyring before letting vivaldi interact with it, vivaldi could maybe work with both keyrings (if you switch from one DE to the other repeatedly)

please note that this is just a wild guess not based on any extra research.

an alternative solution could be getting rid of one of the keyrings and running the other in both DEs, or using one that isn’t tied to either DE. the success of this quite depends on the interlockedness of the DEs though.

felagund

@potmeklecbohdan said in Howto: Preserve your saved passwords when changing desktop environments:

IIUC, it could possibly have an easier solution if you knew how to correctly mess with FDO secrets –

It would certainly have been a neater solution, but I kind of doubt the "easier" part:-). I would love for somebody to try and report back.

guigirl

@felagund Nice compilation / distillation!

Sidenote: I know everyone will make their own personal determination, but IMO browser passwords saved should only be the "trivial" ones, like social [vomit] media & fora. All "real" passwords/accounts [eg, financial, corporate, governmental, favourite handbag shop] should be stored extra-browser, in a dedicated encrypted password manager [wherein one would also store those trivial ones, as backup to the browser's internal store].

@pathduck said in Howto: Preserve your saved passwords when changing desktop environments:

for Linux, but would it work if the new keyring uses the exact same password?

No. Over the years i've copied my V Default profile between numerous Nix distros [same password], & the only reliable way that V doesn't lose its saved passwords is if i'm copying from a Gnome-based distro to ditto, or from KDE to ditto. Cross-jumping, ie, necessitating Gnome-Keyring vs KDE Plasma Wallet, iirc leads to lost passwords. Ditto Nix to/from windoze. However, coz i try to stick with my personal policy per above, recreating those comparatively few passwords from my password manager, once i've deleted the original Login Data file, is trivial.

@felagund said in Howto: Preserve your saved passwords when changing desktop environments:

KDE asked me for a password for KDE Wallet. I tried to enter something, but that failed. I then tried to set KDEWallet password to blank and disable KDE Wallet but neither helped

I love Plasma, but its Wallet service really sucks. Over the years i've had various installations where it's simply worked sweetly & never bothered me, yet other installations [= different distros] where Wallet simply behaved like an unmitigated pile of steaming donkey doos... If you search online [which you doubtless have], you'll see over long years a plethora of posts from confused/desperate/angry users begging/demanding help for their out of control Wallets, with a smaller but not negligible cohort of reply posts from exasperated KDE Devs trying to explain/defend/deflect.

@potmeklecbohdan said in Howto: Preserve your saved passwords when changing desktop environments:

correctly mess with FDO secrets